Curious case of cyber insurance


Upload: himanshu-pareek

Post on 07-Jul-2015


Emerging Case of Cyber Insurance

Security is crucial for a society to flourish; otherwise it is only a matter of time before the society succumbs to its sad end or shrinks to an unnoticeable size. Societies which exist in today's world have done two things exceptionally right in their past. One, they have not merely defended themselves against invaders but have also attacked. Two, if they could not beat the invaders, they did business with them. Such societies are flourishing even today. Others faded.

In today's society, digital computing is one of the major agents responsible for its flourishing and prosperity. Hence the digital computing infrastructure, the institutions which rely on this infrastructure, and the users who benefit from this infrastructure and these institutions should be protected.

Today, we have insurance for almost everything which has a market value. We can insure our lives and our health. The government mandates that one should insure one's vehicle. One can insure one's real estate property. In fact, large insurance companies can provide insurance cover for space missions. If you understand how insurance works, you can skip the next few lines and start from the next paragraph. Insurance works on the simple principle that if N persons are 'insured' against an event E, the probability of event E occurring to all N persons together (in a small time frame) is low and will decrease as N increases. Consider a scenario where a company insures 100,000 people against losing their lives for a modest fee of Rs. 10000 per annum for a period of 10 years. So an insured person has to pay Rs. 10000 every year for 10 years, and if he dies, the insurer will pay a big amount, say Rs. 15,00,000. So the company collects 100,000 x 100,000 in ten years and will pay 15,00,000 to the family members of a deceased person. The most unfavorable case for the insurer is the death of all 100,000 persons, and the most favorable case is everyone surviving.

So the insurer needs some analysis of an individual who seeks insurance. The insurer will prefer persons from various localities whose death rates are low. Now the insurer can say that event E is highly improbable, and that if it occurs it is really unfortunate and the victim should be compensated for it. Such companies can even share their profit to fund health programs, which in turn help both society and the companies.

Cyber insurance can be (and is) a lethal weapon against cyber attacks on enterprises. Just as a human being is mortal, an organization is always in danger of being breached. An organization can be compromised because of its loose security policies, unaware users, backstabbing employees or highly lethal security attacks.

Cyber insurance will work on strict security principles. If an organization is insured, the insurer will pay for damages caused by cyber security attacks. A cyber insurer would prefer organizations which are good at security and have a low chance of being breached. The insurer would also try its best to make sure that it does not insure an organization which is in no way serious about security. As always, insurers generally insure only against highly improbable events. Now, suppose an organization keeps everything in place, has spent millions of dollars on security and was never breached for, say, 7 years. If a security attack then happens and the organization loses some business, it can be compensated for these damages.

The emerging business model of cyber insurance will have two indirect but serious impacts:

1. Cyber security is of course big business, but it is highly technology based only. Cyber insurance will make it more commodity based and couple it tightly with the finance industry. This will pressure stakeholders to take serious steps towards security, standards and their enforcement. Eventually, cyber insurance may become a key driver for an international internet police.

2. Cyber security insurers will themselves adopt attacking methodologies against cyber attacks and will force (or inspire) insured parties to be carefully defensive against cyber attacks.

Here a small correlation can be drawn between the survival secrets of societies and the impacts of cyber insurance.

Three basic questions need to be answered to put any insurance business into operation.

1. Which improbable event can the organization be insured against?

2. What will the insurance claim amount be if the event occurs?

3. What will the mode of paying the premium be, and how much premium has to be paid?

Cyber insurance as a case has two specific challenges which are not yet completely solved and hence present lucrative opportunities for researchers as well.

First, mature advanced technologies are required to assess the security standards deployed in a particular organization and the risk associated with it. Only if these two things can be quantified will it become possible for an insurer to state on what terms it can provide an insurance policy to a prospective insured party. We will also need advanced forensics techniques to verify the validity (or genuineness) of a reported cyber attack.

Second, innovative business models need to be explored, and tough questions need to be answered in the language of insurance providers.

Cyber insurers are expected to bank on big data analytics to determine the expectancy rate of attacks for a typical group of enterprises. Once cyber insurance policies are available in the market, CISOs have to choose the right policy for their organization. They need to be quite clear about what they want to insure against. For example:

1. Loss of business due to shutdown hours

2. Loss of brand value due to data theft

3. Loss of employee productivity

4. Loss due to infrastructure damage

Cyber insurance is almost ready to play a larger role in enterprise security and risk policies. With this paradigm shift in risk management, skills like big data analytics, security standards compliance testing, risk quantification and forensics are also expected to play important roles.